CCM Malformed SIP Packet Denial of Service

ilana_ilana
Level 1

Hello all,

Our client has recently installed CCM 11.0 and they found "Malformed SIP Packet Denial of Service" in their Cisco IPS.

On inquiry, we found that the triggers are being generated from 2 PC users (desktop users) on the network. The system team is working to update the antivirus on the affected PCs, but I want to make sure from the Call Manager side whether it is safe enough to NOT be impacted by DoS attacks.

If it's not, what are the precautions to be followed to keep CCM secure?

Regarding IPS, client has confirmed that IPS signatures are up to date.

5 Replies

Mohammed Khan
Cisco Employee

Hi ilana,

By default CUCM drops untrusted SIP signalling. However, you can configure a Secure SIP Trunk to add an additional layer of security.

The procedure to configure a Secure SIP trunk is covered in the link below.

https://supportforums.cisco.com/document/72956/cucm-sip-trunk-tls-configuration-and-troubleshooting

Regards,

Mohammed Noor

Hello Mohammed,

There is no SIP trunk between clusters. There was a SIP trunk between CUCM and the VG, which has been shifted to H.323 now, but the SIP trunk is not deleted yet from the CUCM database.

Several SIP Phones are added into CUCM recently.

Is it due to that SIP trunk (between CUCM & VG)?

Regards,

A SIP trunk to the VG should not cause "Malformed SIP Packet Denial of Service". You can try deleting the SIP trunk and check if that makes any difference, since you have shifted to H.323.

Hello Mohammed,

We found that Malformed SIP Packet Denial of Service is coming from SIP Phones.

Any idea why SIP phones are behaving like this?

Regards,

Hi,

There are many aspects here:

1. Are the SIP clients on the PCs trying to reach your CUCM and getting blocked by the IPS? I don't think so, because Cisco SIP clients are fully compliant with the Cisco Security Suite. You can check this if the IPS is configured to capture blocked packets.

2. These might be 3rd-party SIP clients which your users are using for personal VoIP calls. In this case, the alert isn't relevant to your CUCM.

3. Your security team needs to dig deeper into the packets, but my gut feeling is that it's because of a SIP client sitting behind a NAT device. When NATted SIP packets are seen by the IPS they are most likely blocked because of the mismatch between the NATted IP in the headers and the private IP in the SDP. I have seen this widely.

4. Finally, it's very important to make sure your CUCM subnet is well secured, and I believe you need to look at the CUCM security guide for this. But start with making sure that the Data and CUCM networks shouldn't talk to each other.
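Point 3 above can be checked directly on the captured packets: an IPS tends to flag a SIP request whose Via/Contact headers carry the NAT's public address while the SDP body still advertises the client's RFC 1918 address. The script below is an added example written for this thread, not code from Cisco or from any of the posters. It builds two constructed INVITE messages (a NATted one and a consistent one; the addresses, user IDs and the host `cucm.example.invalid` are made up) and reports whether the signalling-layer and media-layer addresses disagree, so a security team triaging the IPS alert can separate this benign NAT artefact from genuinely malformed traffic.

```python
import ipaddress
import re

# RFC 1918 ranges checked explicitly (ipaddress.is_private also covers the
# documentation ranges used below for sample data, which would be misleading).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def build_sip_message(start_line, headers, body):
    """Assemble a SIP request with a correct Content-Length (constructed sample data)."""
    lines = [start_line] + headers + [f"Content-Length: {len(body.encode())}", ""]
    return "\r\n".join(lines) + "\r\n" + body


SDP_BODY = (
    "v=0\r\n"
    "o=- 53655765 2353687637 IN IP4 {ip}\r\n"
    "s=-\r\n"
    "c=IN IP4 {ip}\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0 8\r\n"
)


def sample_invite(signalling_ip, media_ip):
    """Constructed INVITE: Via/Contact carry signalling_ip, the SDP carries media_ip."""
    return build_sip_message(
        "INVITE sip:2001@cucm.example.invalid SIP/2.0",
        [
            f"Via: SIP/2.0/UDP {signalling_ip}:5060;branch=z9hG4bK776asdhds",
            "From: <sip:1001@cucm.example.invalid>;tag=1928301774",
            "To: <sip:2001@cucm.example.invalid>",
            f"Call-ID: a84b4c76e66710@{signalling_ip}",
            "CSeq: 314159 INVITE",
            f"Contact: <sip:1001@{signalling_ip}:5060>",
            "Content-Type: application/sdp",
        ],
        SDP_BODY.format(ip=media_ip),
    )


# The case the reply describes: the NAT rewrote the signalling headers to its
# public address but left the SDP body advertising the RFC 1918 address.
NATTED_INVITE = sample_invite("203.0.113.10", "192.168.1.20")
# A consistent message for comparison (no NAT in the path).
CONSISTENT_INVITE = sample_invite("203.0.113.10", "203.0.113.10")

VIA_HOST = re.compile(r"^SIP/2\.0/\w+\s+([^\s;:]+)")
URI_HOST = re.compile(r"sip:(?:[^@>\s]+@)?([^\s:;>]+)")
SDP_C_LINE = re.compile(r"^c=IN IP4 (\S+)")
SDP_O_LINE = re.compile(r"^o=\S+ \S+ \S+ IN IP4 (\S+)")


def parse_sip(message):
    """Split a SIP message into (start line, list of (lower-cased name, value), body)."""
    head, _, body = message.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def _as_ipv4(text):
    """Return an IPv4Address, or None for hostnames, IPv6 or malformed host parts."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return None
    return addr if addr.version == 4 else None


def signalling_ips(headers):
    """IPv4 addresses the signalling layer claims (Via transport host, Contact URI host)."""
    found = set()
    for name, value in headers:
        if name in ("via", "v"):
            m = VIA_HOST.match(value)
        elif name in ("contact", "m"):
            m = URI_HOST.search(value)
        else:
            continue
        if m and (ip := _as_ipv4(m.group(1))):
            found.add(ip)
    return found


def media_ips(body):
    """IPv4 addresses the SDP body says media should go to (c= and o= lines)."""
    found = set()
    for line in body.split("\r\n"):
        for pattern in (SDP_C_LINE, SDP_O_LINE):
            m = pattern.match(line)
            if m and (ip := _as_ipv4(m.group(1))):
                found.add(ip)
    return found


def check_nat_mismatch(message):
    """Report whether signalling and SDP addresses disagree and whether the SDP
    address is RFC 1918: together these are the fingerprint of an un-fixed-up NAT."""
    _, headers, body = parse_sip(message)
    sig, media = signalling_ips(headers), media_ips(body)
    return {
        "signalling_ips": sorted(map(str, sig)),
        "media_ips": sorted(map(str, media)),
        "mismatch": bool(sig) and bool(media) and not (sig & media),
        "media_is_rfc1918": any(ip in net for ip in media for net in RFC1918),
    }


if __name__ == "__main__":
    for label, msg in (("NATted", NATTED_INVITE), ("consistent", CONSISTENT_INVITE)):
        print(label, check_nat_mismatch(msg))
```

Feed it the SIP payloads the IPS captured for the two PCs: a result with `mismatch` and `media_is_rfc1918` both true is the NAT fix-up problem from point 3 (a client or NAT device issue, not an attack on CUCM), whereas captures that parse cleanly with consistent addresses, or that fail to parse at all, deserve the deeper look the reply recommends.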